Ransomware and Google Workspace

It seems like more and more ransomware attacks are popping up around the world every day, and it should come as no surprise that schools are prime targets: we have a large number of users and we store a great deal of data. There is no magic checkbox that makes the problem go away, but we can layer as many preventive practices as possible to reduce our risk. Google Workspace is well suited to this because of the visibility Google has across a global user base and its ability to apply security controls at scale.

It is important to understand the different vectors attackers use to get a user to install their malware. The first and most popular is email, where the choice of provider largely determines a user's exposure. An on-premises mail server may look like a viable option at first glance, but the features you leave on the table by running one can become the source of your problem. Gmail scans messages before they reach the inbox, and Google's global visibility means a malicious attachment seen elsewhere can be detected and blocked for you automatically, so a message carrying malware may never arrive in your users' inboxes at all. With Google Workspace for Education Plus you can also enable the Gmail security sandbox (Beta), which opens incoming messages and their attachments in a virtual sandbox and performs dynamic malware analysis on them, again before the message is delivered.

Beyond scanning, Google keeps the Gmail servers constantly up to date, and most malware relies on known vulnerabilities that already have a fix. You may remember WannaCry from a few years ago: its worm component spread using an exploit for a Windows SMB vulnerability that Microsoft had patched (MS17-010) about two months before the outbreak, and the machines it took down were the ones still missing that update. With on-premises servers you run the risk of missing updates, or of leaving it to individuals to decide whether to install them.

For the emails that do make it through, Google Workspace's built-in protection does not end there. Google Safe Browsing flags dangerous links in messages and shows a warning if one is clicked. Safe Browsing also covers the second most popular vector: web-based attacks.

Web-based attacks are those where the attacker tries to fool a user with a site that looks legitimate (a login page, a document download) but is actually malicious. Safe Browsing blocks access to known-bad sites and shows a full-page warning with a "Back to safety" option. Google flags new fraudulent pages every day and continuously updates its lists of dangerous sites. You can look up any site's current status in the Safe Browsing section of Google's Transparency Report (transparencyreport.google.com/safe-browsing/search), which states exactly what Google determined to be unsafe about it.
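The same lists the browser consults can also be queried programmatically through the Safe Browsing Lookup API v4, which lets you check URLs pulled from your own mail or proxy logs. The script below is an added example, not code from this post or from Google. It assumes you have obtained a Safe Browsing API key (the Lookup API is free for non-commercial use); `lookup()` is the live call, while `SAMPLE_RESPONSE` is a constructed response in the documented shape so the request builder and parser can be exercised offline:

```python
"""Check URLs against Google Safe Browsing via the Lookup API v4.

Added example, not the post author's code. Assumptions: a Safe Browsing
API key (non-commercial use); SAMPLE_RESPONSE is constructed to mirror the
documented response shape and is not a real lookup result.
"""
import json
import urllib.request
from typing import Dict, List

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]
MAX_PER_REQUEST = 500  # documented cap on threatEntries per call


def build_request(urls: List[str], client_id: str = "school-it-scripts") -> dict:
    """Body for threatMatches:find; field names follow the v4 reference."""
    if not urls or len(urls) > MAX_PER_REQUEST:
        raise ValueError(f"pass between 1 and {MAX_PER_REQUEST} URLs per request")
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response: dict) -> Dict[str, List[str]]:
    """Map each flagged URL to the threat types it matched.

    A URL that matches nothing is simply absent: the API answers with an
    empty JSON object when no entry is on any list.
    """
    flagged: Dict[str, List[str]] = {}
    for match in response.get("matches", []):
        flagged.setdefault(match["threat"]["url"], []).append(match["threatType"])
    return flagged


def lookup(urls: List[str], api_key: str, timeout: int = 10) -> Dict[str, List[str]]:
    """Live query in batches of MAX_PER_REQUEST; needs network and a valid key."""
    flagged: Dict[str, List[str]] = {}
    for start in range(0, len(urls), MAX_PER_REQUEST):
        body = json.dumps(build_request(urls[start:start + MAX_PER_REQUEST])).encode()
        req = urllib.request.Request(
            f"{LOOKUP_URL}?key={api_key}", data=body,
            headers={"Content-Type": "application/json"}, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            flagged.update(parse_matches(json.load(resp)))
    return flagged


# Constructed sample response (not a real lookup) for an offline dry run.
SAMPLE_RESPONSE = {
    "matches": [{
        "threatType": "SOCIAL_ENGINEERING",
        "platformType": "ANY_PLATFORM",
        "threatEntryType": "URL",
        "threat": {"url": "http://login-example.test/reset"},
        "cacheDuration": "300s",
    }]
}

if __name__ == "__main__":
    print(parse_matches(SAMPLE_RESPONSE))
```

Treat an empty result as "not on the list today", not as proof that a site is safe, and honour the `cacheDuration` on a match before re-querying the same URL.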


The last vector attackers use to spread malware is the operating system itself, and a great deal of malware and ransomware ultimately spreads this way. Users who have administrative privileges on their machines, run an unsafe web browser, or skip updates are operating at high risk. Moving those users to ChromeOS addresses each of these issues.

On ChromeOS the OS image is verified on every boot (Verified Boot) to ensure it has not been modified. On a shared device, each user's data is encrypted with a per-user key and kept separate, so one user cannot read another's files. Every process and tab runs in its own sandbox, so a compromised app or web page is contained and cannot simply reach into other tabs or the rest of the system. Updates are controlled centrally by Google rather than depending on third-party vendors whose patches may take a long time to arrive: ChromeOS ships a new stable release on a fixed cadence (roughly every six weeks at the time of writing), so a Chromebook stays current, and when Google finds a security issue that cannot wait for the next release it pushes a patch out of band, often before the issue is widely exploited. Most ChromeOS users also work mainly in Google Drive formats (Docs, Sheets, etc.), which further reduces their exposure.

So what happens to our data if, despite all these proactive measures, our systems are still hit by ransomware? This is where Google Workspace steps in again. Even if local machines are compromised and local files are lost or encrypted, native Google files (Docs, Sheets, Slides, etc.) are unaffected: their content lives only in Google's storage, not in a file on the endpoint, and they carry version history, so if one is modified it can be rolled back to a previous state. While that does not help legacy files, it is a good reason to start creating files in Google formats by default. Drive also provides tools for legacy files stored in Drive should they be affected. They keep revision history too, with one caveat to plan around: versions of non-Google files are kept for 30 days or 100 revisions, whichever comes first, unless you mark a version as "Keep forever". For files under 100 MB, Drive scans for viruses before download; if malware is found, only the original owner can download the file, so others cannot pull it down by accident. Drive previews files in the browser rather than executing them, which saves you from opening a "PDF" that is really an .EXE. Opening on the web is generally safer than opening locally, where something could run on your device without your knowing.
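One way to turn the revision-history point above into a recovery procedure, as an added example that is not the author's code: the script uses the Drive API v3 through google-api-python-client (an authenticated `service` object is assumed) to find the newest revision of a non-Google file from before the incident, pin it so Drive's 30-day / 100-revision pruning cannot drop it, and re-upload its bytes as the current version. The sample revision list and the ransomware file suffixes are constructed for illustration.

```python
"""Roll a ransomware-damaged Drive file back to its last clean revision.

Added example, not code from the post. Assumes Drive API v3 through
google-api-python-client with an authenticated `service` object (scope
https://www.googleapis.com/auth/drive). Targets non-Google files (PDF,
DOCX, ZIP, ...); native Docs/Sheets/Slides are restored from Version
history in the editor instead.
"""
import io
from datetime import datetime
from typing import List, Optional

# Hypothetical suffixes a ransomware family might append; extend as needed.
RANSOM_SUFFIXES = (".encrypted", ".locked", ".crypt")


def parse_time(ts: str) -> datetime:
    """Drive timestamps are RFC 3339, e.g. 2020-03-10T14:02:11.123Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def pick_rollback_revision(revisions: List[dict], incident: datetime) -> Optional[dict]:
    """Newest revision written strictly before the incident, or None when the
    clean copy has already aged out of Drive's 30-day / 100-revision window."""
    clean = [r for r in revisions if parse_time(r["modifiedTime"]) < incident]
    return max(clean, key=lambda r: parse_time(r["modifiedTime"])) if clean else None


def strip_ransom_suffix(name: str) -> str:
    """Undo the rename most families perform (report.pdf.locked -> report.pdf)."""
    for suffix in RANSOM_SUFFIXES:
        if name.lower().endswith(suffix):
            return name[: -len(suffix)]
    return name


def list_revisions(service, file_id: str) -> List[dict]:
    """Page through revisions.list for one file."""
    revisions, token = [], None
    while True:
        page = service.revisions().list(
            fileId=file_id, pageToken=token,
            fields="nextPageToken,revisions(id,modifiedTime,size,md5Checksum,keepForever)",
        ).execute()
        revisions.extend(page.get("revisions", []))
        token = page.get("nextPageToken")
        if not token:
            return revisions


def restore_revision(service, file_id: str, revision_id: str,
                     new_name: Optional[str] = None) -> dict:
    """Download the clean revision's bytes and upload them as the current
    version. Drive has no "make revision X current" call, so the restore is a
    fresh upload that lands on top of the history rather than rewriting it."""
    from googleapiclient.http import MediaIoBaseDownload, MediaIoBaseUpload

    buf = io.BytesIO()
    downloader = MediaIoBaseDownload(
        buf, service.revisions().get_media(fileId=file_id, revisionId=revision_id))
    done = False
    while not done:
        _, done = downloader.next_chunk()
    buf.seek(0)
    # Pin the clean revision so automatic pruning cannot drop it mid-recovery.
    service.revisions().update(
        fileId=file_id, revisionId=revision_id, body={"keepForever": True}).execute()
    media = MediaIoBaseUpload(buf, mimetype="application/octet-stream", resumable=True)
    body = {"name": new_name} if new_name else {}
    return service.files().update(
        fileId=file_id, body=body, media_body=media, fields="id,name,modifiedTime"
    ).execute()


def rollback_file(service, file_meta: dict, incident: datetime) -> Optional[dict]:
    """Skip files untouched since the incident; otherwise restore the last
    clean revision under the file's pre-rename name."""
    if parse_time(file_meta["modifiedTime"]) < incident:
        return None
    target = pick_rollback_revision(list_revisions(service, file_meta["id"]), incident)
    if target is None:
        return None  # no pre-incident revision left; fall back to backups
    return restore_revision(service, file_meta["id"], target["id"],
                            new_name=strip_ransom_suffix(file_meta["name"]))


# Constructed sample (not real Drive data) in the shape revisions.list returns.
SAMPLE_REVISIONS = [
    {"id": "1", "modifiedTime": "2020-03-09T08:00:00.000Z", "md5Checksum": "a1"},
    {"id": "2", "modifiedTime": "2020-03-10T14:02:11.000Z", "md5Checksum": "b2"},
    {"id": "3", "modifiedTime": "2020-03-11T09:31:40.000Z", "md5Checksum": "c3"},
]
INCIDENT = parse_time("2020-03-11T09:00:00Z")

if __name__ == "__main__":
    print(pick_rollback_revision(SAMPLE_REVISIONS, INCIDENT)["id"])  # 2
```

Build the candidate list first with `files.list` and a `modifiedTime > '<incident time>'` query, review it, and only then call `rollback_file` on each entry; the restore adds a new revision on top of the history, so a wrong pick can itself be undone.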

Where do Drive File Stream and Backup and Sync come into play with ransomware? First, let's look at how each works and how that affects potential exposure. (Google has since merged both into a single client, Google Drive for desktop.)
Drive File Stream does exactly what its name implies: it streams content down from your Google Drive in real time as files are accessed, and files are never stored locally on your machine (unless you choose to keep selected legacy files offline; native Google files cannot be stored offline this way). The hot question is how Drive File Stream affects our exposure to ransomware. I have done some small-scale testing to show the safety features File Stream implements and why common attack techniques do not work against it.

For this demo (you can access the code I created for this blog post) I have set up a Windows system with a user who has Drive File Stream installed. The assumption for the purpose of this demo is that the user has been infected by ransomware from an unknown source, and that this ransomware specifically checks whether Drive File Stream is installed and only tries to encrypt the files exposed through File Stream.